ASA 5510 VPN Site To Site problems

Unanswered Question
Sep 18th, 2008

Dear Experts,

I have set up a site-to-site VPN between two ASA 5510 firewalls.

The IKE and encryption settings are the same on both sides, but I don't know why, when I do some actions such as ping and telnet, the result is still a request timeout.

The attached document shows two logs from the ASA when I do the ping, although the ping does not work. But I can see that the VPN connection seems to be established.

Here is some information.

Site A: 202.120.70.70
Local IP: 192.168.96.0

Site B: 217.17.146.46
Local IP: 10.1.1.0

VPN settings on both sides:

IKE: 3DES, SHA, DH group 2
ENCRYPTION: 3DES, SHA, PFS: DH group 2

Protected networks:

Site   Local           Remote
A      192.168.96.0    10.1.1.0
B      10.1.1.0        192.168.96.0

Experts, do you see any problems, or have any troubleshooting tips?

djemba-djemba Fri, 09/19/2008 - 01:53

I used the ASDM to set up the VPN; I think it processed everything automatically and should be the default settings.

Do you have any format for the statement?

I mean such as:

Site A, interface outside, allow, Site A IP / Site B IP.

Thanks very much

singhsaju Thu, 09/18/2008 - 05:50

If you have properly applied NAT exemption for your protected networks' traffic, can you remove PFS from both sides and then check?

HTH

Saju

Please rate helpful posts
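As an added example (not configuration from the original thread or its attachments), here is what the Site A side of this tunnel looks like in ASA 8.0-era CLI, with the NAT exemption Saju refers to and PFS set to DH group 2 as in the original post. The peer and network addresses and the 3DES/SHA/group 2 parameters are the thread's; the ACL, transform-set and crypto-map names and the pre-shared key are placeholders chosen for the example. Site B needs the mirror image: the same policy, peer 202.120.70.70, and crypto and NAT-exempt ACLs with 10.1.1.0/24 as the source.

```cisco
! Added example for Site A (outside 202.120.70.70, inside 192.168.96.0/24)
! peering with Site B (217.17.146.46, 10.1.1.0/24). Pre-8.3 NAT syntax, as
! used on the 2008-era software in this thread. Names and the PSK are
! placeholders, not values from the thread.

! Phase 1 (IKE/ISAKMP) policy - must match on both peers
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

! Phase 2 proposal: ESP with 3DES encryption and SHA-1 integrity
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! Interesting traffic: exactly the protected networks. Site B's crypto ACL
! must be the mirror image (10.1.1.0/24 -> 192.168.96.0/24).
access-list L2L-INTERESTING extended permit ip 192.168.96.0 255.255.255.0 10.1.1.0 255.255.255.0

! NAT exemption: the same source/destination pair must bypass NAT, otherwise
! the packets are translated (or dropped under nat-control) before they can
! match the crypto ACL.
access-list NAT0-INSIDE extended permit ip 192.168.96.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list NAT0-INSIDE

! Crypto map entry bound to the outside interface, PFS group 2 as in the post
crypto map OUTSIDE-MAP 10 match address L2L-INTERESTING
crypto map OUTSIDE-MAP 10 set peer 217.17.146.46
crypto map OUTSIDE-MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE-MAP 10 set pfs group2
crypto map OUTSIDE-MAP interface outside

! Tunnel group keyed on the peer address; the PSK must be identical at Site B
tunnel-group 217.17.146.46 type ipsec-l2l
tunnel-group 217.17.146.46 ipsec-attributes
 pre-shared-key <shared-secret>

! Decrypted tunnel traffic bypasses the outside interface ACL (ASA default,
! shown so the dependency is visible)
sysopt connection permit-vpn
```

The crypto ACL and the `nat (inside) 0` ACL must cover the same pair of networks. With `nat-control` enabled on pre-8.3 code, a packet that matches neither a NAT rule nor the exemption is dropped and logged as "No translation group found" (syslog 305005), which is the "no translation" message the original poster mentions later in the thread. If PFS really cannot be turned off on one box, both sides must agree on group 2, since a PFS mismatch fails Phase 2 even when Phase 1 is up.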

djemba-djemba Fri, 09/19/2008 - 01:56

One of my firewalls is a 5510 K9 with the security license; I cannot disable PFS on that firewall. I think it is set to DH group 2 by default.

But I have tested removing the NAT exemption on both sides; still nothing changed.

Sorry, I am a beginner; thanks for your patience.

Thanks, experts!

djemba-djemba Mon, 09/22/2008 - 06:15

I was going to post the running config here,

but today I found that when I reconfigured a VPN (one end using a Cisco 5510, the other end using a NetScreen firewall), the VPN I think has been established. But it is so strange: I can ping some servers/PCs from the NetScreen's network to the Cisco's network, but some I cannot ping; I can reach some web servers' pages in the Cisco's network, but some I cannot.

But the access rule I have already set permits all communication between the two sites' devices.

What do you think?

Sometimes, when I do the ping, the ping times out, but in the log of the 5510 I saw the Build ICMP entry, then the Teardown.

But no reasons and no errors.

Do you think it is caused by the switch, not the rules of the firewall?

And sometimes, when I ping some of the servers in the 5510's network, it displays a message such as "no translation" from the source IP to the destination IP.

But the two networks are supposed to be fully permitted.

Please help me.

Thanks!!!

sarikareddy Sun, 09/21/2008 - 01:09

Have you allowed ICMP at the outside interface, and telnet too?

Try:

icmp permit any outside

Remember, you can't access the device from the outside interface without IPsec enabled. What this means is, you need to make a secure tunnel first, then give telnet permissions. I would personally suggest you use SSH.

Type:

ssh 0.0.0.0 0.0.0.0 outside

djemba-djemba Sun, 09/21/2008 - 18:25

Thanks,

I have already set (src) Any, (dst) Any IP on the outside interface.

It seems it still does not work.

jjoseph01 Mon, 09/22/2008 - 07:07

Can you post the configs of both so we can see the whole configuration?

djemba-djemba Tue, 09/23/2008 - 19:44

Finally, I ran the commands "show crypto ipsec sa" and "show crypto isakmp".

Attached are the mentioned config files of the two ASA 5510s.

Current status:

The VPN tunnel I think has already been set up. I have some web sites on the 217 site's subnet (10.1.1.0), and the 202 site's subnet (192.168.96.0) clients are supposed to be able to browse them.

However, some of the web sites on 10.1.1.0 display but some do not.

In the firewall log, I saw no error messages, but the sessions are automatically torn down.

I am now wondering whether the problems are caused by the security levels of the interfaces?

Because I think the access lists do not have problems.

(PS: the security levels of the outside and inside interfaces are both 100 on both firewalls; all the servers are connected to a 2960 switch which is connected to the inside interface of the firewall.)

I also attached the "show running-config" of the 217 network's firewall. 217 contains some web servers on the "Inside" interface.

Please advise. Thanks

djemba-djemba Tue, 09/23/2008 - 20:13

Sorry, the previous post did not attach the "show" config file.

nameif WebServer), because it is not related to my current problems. Thanks

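As an added example, not from the thread or its attachments: a checklist of ASA commands for the situation described in the posts above, where both interfaces sit at security level 100, the tunnel appears to be up, and only some hosts answer. The host addresses 192.168.96.10 and 10.1.1.10 and the capture names are placeholders; the MSS value is a tuning assumption, not a value from the thread.

```cisco
! Added troubleshooting example for the Site A ASA. Host addresses, capture
! names and the MSS value are placeholders chosen for the example.

! 1. Two interfaces at the same security level only pass traffic between
!    each other when this is configured; otherwise the ASA drops the flow.
!    The cleaner fix is inside 100 / outside 0, but this makes the current
!    design work as-is.
same-security-traffic permit inter-interface

! 2. Phase 1: the peer should show state MM_ACTIVE
show crypto isakmp sa

! 3. Phase 2: one SA pair per crypto ACL entry. Watch the counters:
!    #pkts encaps rising while #pkts decaps stays at 0 means this side is
!    sending but the far side never returns traffic through the tunnel
!    (its NAT exemption, crypto ACL or routing is the suspect).
show crypto ipsec sa peer 217.17.146.46

! 4. Simulate an echo request from an inside host to a Site B host. Each
!    phase (route lookup, access-list, NAT exemption, VPN encrypt) reports
!    ALLOW or DROP; the first DROP names the misconfiguration.
packet-tracer input inside icmp 192.168.96.10 8 0 10.1.1.10 detailed

! 5. Capture on both sides of the box: does the request reach the ASA, does
!    ESP leave toward the peer, and does a reply ever come back?
capture VPN-IN interface inside match icmp host 192.168.96.10 host 10.1.1.10
capture VPN-OUT interface outside match esp host 202.120.70.70 host 217.17.146.46
show capture VPN-IN
show capture VPN-OUT

! 6. Track ICMP statefully so echo replies are allowed back without a
!    separate inbound rule
policy-map global_policy
 class inspection_default
  inspect icmp

! 7. When some web pages load and others stall, suspect fragmentation over
!    the IPsec overhead; clamp the TCP MSS below the default 1380 (tuning
!    assumption, adjust to the path).
sysopt connection tcpmss 1350

! Clean up the captures when done
no capture VPN-IN
no capture VPN-OUT
```

A Built ICMP entry followed by a Teardown only proves that the echo request was admitted and the connection later timed out; it does not say where the reply was lost. If packet-tracer allows the flow and the outside capture shows ESP leaving but the inside capture never sees a reply, look at the unreachable hosts themselves (default gateway pointing at the ASA, host firewalls) and at Site B's exemption and crypto ACLs rather than at this firewall. Note also that `icmp permit any outside`, as suggested earlier, governs ICMP addressed to the ASA's own outside interface, not pings passing through the tunnel.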
